8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
1/29
ISO/IEC 20000 Auditor
3Application, Eligibilityand Scoping
Copyright 2006, Quint Wellington Redwood
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
2/29
ISO/IEC 20000 Auditor
Copyright 2006, Quint Wellington Redwood
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
3/29
ISO/IEC 20000 Auditor
Module 3
Application, Eligibility and Scoping
Copyright 2006, Quint Wellington Redwood age 3 ! 3
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
4/29
ISO/IEC 20000 Auditor
page 3 - 2
Application o" #S$%#EC 20000
& 'u(ine((e( that are going out to tender "or their (er)ice(
& 'u(ine((e( that re*uire a con(i(tent approach by all (er)ice
pro)ider( in a (upply chain
& +o benchar- their #+ (er)ice anageent
& A( the ba(i( "or an a((e((ent leading to certi"ication
& +o deon(trate the ability to pro)ide (er)ice( that eet
cu(toer re*uireent(
& +o ipro)e (er)ice through the e""ecti)e application o"
proce((e( to onitor and ipro)e (er)ice *uality.
The standard may be used for among others:
by businesses that are going out to tender for their services
by businesses that require a consistent approach by all service providers in a supply chain
by service providers to benchmark their IT service management
as the basis for an assessment which may lead to a formal certification
by an organization who needs to demonstrate the ability to provide services that meet customerrequirements
by an organization which aims to improve service through the effective application of processes to
monitor and improve service quality
age 3 ! 4 Copyright 2006, Quint Wellington Redwood
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
5/29
ISO/IEC 20000 Auditor
page 3 - 3
#S$%#EC 20000 Certi"ication
& Step /
Are you eligible
& Step 2
What i( the (cope
& Step 3
1o you eet the (tandard
The following slides will discuss the certification process which is split in three main steps.
Step 1
o Are you eligible?
Step 2
o What is the scope?
Step 3
o Do you meet the standard
ISO/IEC 20000 is closely related and complementary to the ISO 9001 Quality Management standard.Therefore service providers that have acquired certification to this standard may have already fulfilledsome of the mandatory requirements of ISO/IEC 20000 as long as the scoping of the ISO 9001certification audit includes the scope of the ISO/IEC 20000 audit. This is also true for other standardssuch as the Information Systems Security standard ISO 17799.
Copyright 2006, Quint Wellington Redwood age 3 !
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
6/29
ISO/IEC 20000 Auditor
page 3 - 4
Eligibility
& Eligibility i( ba(ed on the etent and degree o" anageentcontrol that the (er)ice pro)ider ha( o)er the #S$%#EC 20000
proce((e(
& +he organi(ation u(t be able to deon(trate that it ha(
anageent control o" all o" the proce((e( de"ined within the
#S$%#EC 20000 (tandard
& 4anageent control o" a proce(( con(i(t( o"5
nowledge and control o" input(
nowledge, u(e and interpretation o" output(
1e"inition and ea(ureent o" etric(
1eon(tration o" ob7ecti)e e)idence o" accountability "or proce(("unctionality in con"orance to the #S$%#EC 20000 (tandard
1e"inition, ea(ureent and re)iew o" proce(( ipro)eent(
Eligibility is based on the extent and degree of management control that the service provider has over theISO/IEC 20000 processes. In order to be eligible for certification within the ISO/IEC 20000 scheme aservice provider must be able to demonstrate management control of all of the processes containedwithin the ISO/IEC 20000 standard.
In order for a Service Provider organization to achieve certification under the ISO/IEC 20000 scheme itmust be able to demonstrate that it has management control of all of the processes defined within theISO/IEC 20000 standard. For this purpose management control of a process consists of:
Knowledge and control of inputs
Knowledge, use and interpretation of outputs
Definition and measurement of metrics
Demonstration of objective evidence of accountability for process functionality in conformance to the
ISO/IEC 20000 standard
Definition, measurement and review of process improvements
The first two aspects to be considered and agreed when a service provider is seeking to achievecertification under the Scheme are:
is the service provider eligible for certification under the Scheme?
if the service provider is eligible for certification, then what is the scope of the processes beingaudited?
age 3 ! 6 Copyright 2006, Quint Wellington Redwood
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
7/29
ISO/IEC 20000 Auditor
page 3 - 5
Why Scope
& +he certi"icate (hould not intentionally or unintentionally iplythat the organi(ation ha( capabilitie( o)er and abo)e tho(e
co)ered by the audit
& +he cu(toer( u(t be able to rely on the certi"icate
It is assumed that the organization seeking certification is the Service Provider organization, either ISP orESP as illustrated in the figure below. However, in reality many organizations have multiple roles and mayappear with different functionality in different scenarios. Therefore a single organization may appear as anEUO (End User Organization), ISP, ESP or supplier dependent upon the supply chain being considered.Scoping of the audit and certification are therefore crucial to the whole process.
Figure - ISO/IEC 20000 relationship between providers and suppliers
Copyright 2006, Quint Wellington Redwood age 3 ! 8
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
8/29
ISO/IEC 20000 Auditor
A number of definitions associated with the components illustrated in the figure are contained within thefollowing list:
The Business:
The Business: an overall corporate entity or organization formed of a number of business units
which provide a set of products or services. The Business Unit: is a segment of the business entity by which both revenues are received and
expenditure are caused or controlled, such revenues and expenditure being used to evaluatesegmental performance
The End User : the recipient of a service, a person using the service on a day-to-day basis
The Customer : the recipient of service(s), usually customer management has responsibility for
funding the service, either directly through charging or indirectly through demonstrable businessneed
The End User Organization (EUO): an organization which is a recipient of a product or a service
from the service provider and consists of both customers and end users
The Service Provider:
The Service Provider: the unit responsible for theprovision of IT services. The Service Provider
supplying services to Customers can be either internal (Internal Service Provider - ISP) or external(External Service Provider - ESP).to the overall organization being considered for certification. Thismay also include outsourcing service provider organizations or co-sourcing service providerorganizations, working in partnership with other service provider and supplier organizations.
The Services:
Service(s): a set of IT service provided to an End User Organization
Managed Service(s): a set of services provided by an External Service Provider to the End User
Organization of a separate organization
The Suppliers:
The Supplier: a third party responsible for supplying underpinning elements of the IT services.
These suppliers may range from commodity hardware or software vendors, through network serviceproviders and major hardware and software manufacturers to major outsourcing organizations andstrategic partnering relationships.
The ead Supplier: a third party responsible for supplying underpinning elements of the IT services.
Lead suppliers use subcontracted supplier(s) to assist in the delivery of their elements of ITservice(s).
The Su!contracted Supplier: a third party responsible for supplying underpinning elements of a
service supplied by a lead supplier.
The "T "n#rastructure:
The "T "n#rastructure: the Information Technologies (IT) components or Information Communications
Technologies (ICT) components (hardware, software, products etc.) necessary for the delivery ofservices to the users. It is the convergence of Information Technology, Telecommunications and DataNetworking Technologies into a single integrated technology
"T "n#rastructure i!rar$ ("T"): A set of guides containing best practice guidelines on the
management and provision of operational IT services
age 3 ! 8 Copyright 2006, Quint Wellington Redwood
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
9/29
ISO/IEC 20000 Auditor
page 3 - 6
Scoping guideline(
& 4ay be an entire organi(ation or part o" an organi(ation
& 4ight rely on e)idence or contribution( "ro other (upplier
organi(ation(
& 9or certi"ication, it i( uniportant whether the proce((e( are
er"ored entirely by a (ingle Ser)ice ro)ider, or
er"ored partly by other organi(ation(
When seeking certification a Service Provider should decide the scope of the service to be audited andagree this with the ISO/IEC 20000 auditor in advance of the audit. The scoping statement should bevalidated by the auditor, referenced in the audit report and the scope stated on any ISO/IEC 20000certificate.The Service Provider seeking certification may be an entire organization or part of an organization. Forcertification, it is unimportant whether the processes within the scope of the audit are performed entirelyby a single Service Provider or performed partly by other organizations. Certification of one ServiceProvider might rely on evidence or contributions from other supplier organizations.
Those who wish to take assurance from a Service Providers certificate might ask to see the scope of aISO/IEC 20000 certification. It is therefore important that this is unambiguous and accurate. Thecertificate should not intentionally or unintentionally imply that the certified Service Provider hascapabilities over and above those covered by the assessment. The auditor should ensure that thedeclared scope accurately describes the actual scope of the audit. If at any time during a ServiceProviders certification cycle (e.g. during repeat audit checks) the auditor determines that the declaredscope has changed, then the certificate, and possibly the basis of the certificate, will need to be amended,including the scope. The terms of a service contract cannot remove or reduce the obligation on theauditor to obtain sufficient appropriate evidence of conformity to the specified requirements. It mighttherefore be necessary for the Service Provider being audited to obtain supporting evidence or assistancefrom suppliers, involved in the delivery of the service(s) in question, in order for the Service Provider itselfto demonstrate compliance with all areas of ISO/IEC 20000 and for the audit to be satisfactorilycompleted.
With regard to scoping of the certification then due consideration should be given to the areas beingreviewed in terms of:
the geographical aspects involved, such as an office, group of offices, a region a country, globally,
etc.
the organizational aspects involved, such as a department, a group of departments, all departments,
etc.
the service aspects involved, such as a service, a group of services, a section of the service
catalogue, all services, etc
Copyright 2006, Quint Wellington Redwood age 3 ! :
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
10/29
ISO/IEC 20000 Auditor
page 3 - 7
1e)eloping a (cope (tateent
& +he (cope (tateent (hould eplicitly co)er5
Ser)ice( encopa((ed by the audit
e.g. one (er)ice, a group o" (er)ice(, a (ection o" the (er)ice catalog,
all (er)ice(
Any geographical or location boundarie(
e.g. one (ite % o""ice, a group o" o""ice(, a regional or national
boundary
$rgani;ational or "unctional boundarie(
e.g. one departent, a group o" departent(, all departent(
Any out(ourced proce(( coponent(
e.g. the per"orance data collection eleent( o" Capacity
4anageent
The scoping statement should explicitly cover:
the services encompassed by the audit
any geographical or location boundaries (e.g. a site, a regional or national boundary)
organizational or functional boundaries
any outsourced process components (e.g. the performance data collection elements of Capacity
Management)
As a guideline a service provider should be able to easily provide the following: clear definition of the scope of the services and infrastructure within the scope of ISO/IEC 20000 audit
the interfaces between processes, with clarity on how they are controlled by the service provider.
With ISO/IEC 20000 it is really important that people realize how the processes interface and interactwith each other and are controlled overall, including key process contacts within other organizations.A service provider with a full set of good processes each operating in isolation, is not good enough toachieve certification
information on the role of and the interfaces to other organizations, involved in the overall service
delivery, including any of the service providers customers and suppliers.
If a service provider can't produce this information easily at high level they are probably not suitable forISO/IEC 20000 certification at this stage, as this indicates inadequate overall service managementprocesses and they are very unlikely of being capable of passing the audit.
The certificate awarded would eventually be limited to the services stated within the agreed audit scope,which might not be the whole Service Provider organization. All audit certificates have a scope, and theISO/IEC 20000 series advises people to check the scope if they intend to accept ISO/IEC 20000 asevidence of good service management (e.g. in a due diligence stage).
Often Service Providers may wish to acquire ISO/IEC 20000 for a scope which represents a small part oftheir total organization. This is acceptable within the Scheme as long as the Service Provider is operatinga management system in compliance with the requirements of the ISO/IEC 20000 standard. Care shouldbe taken to ensure that this is the case for small sections of large Service Provider organizations.
age 3 ! 10 Copyright 2006, Quint Wellington Redwood
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
11/29
ISO/IEC 20000 Auditor
Similarly, if a Service Provider is seeking certification but does not have management control over allprocesses, they should be informed that ISO/IEC 20000 is not appropriate. A Service Provider such as anoutsourcing company and their EUO therefore cannot both get separate certificates for the same set ofservice management processes
Clearly the scope of each certification is very important. It is used to describe the extent of the certificationwithin the certified organization. The ISO/IEC 20000 certification relates to the service managementprocesses and the management system used to deliver IT services and therefore the scope shouldindicate that. For example if organization A has been certified for the provision of all internal IT servicesthe certificate scope should be:
_The IT Service Management System that supports the provision of SERVICES toCUSTMERS !ithin the technical and organi"ational #oundaries of $E%&$ E'TIT( and$C&TI'S)
Optionally this may also include an additional sentence:
This is in accordance !ith *$E%&$ E'TIT(+s* *SERVICE C&T&$%UE or SERVICEM&'&%EME'T ,$&'* and includes all IT service management processes and the managementcontrol of those interfaces that support them)*
Copyright 2006, Quint Wellington Redwood age 3 ! //
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
12/29
ISO/IEC 20000 Auditor
page 3 - 8
& Electronic ata S!"te#" $ES% i" a certi&ied organi"ation undert'e itSM( )S*5000 Certi&ication "c'e#e+
& ,'e certi&icate a" i""ued on *"t .une 2005 ! EMA
& ,'e "cope o& certi&ication i"1
The IT Service Management System that covers the provision of "Theintegration, delivery and maintenance of end-to-end IT infrastructure
services (Computer and Networ !perations from within the
#oundaries of $%S IT! Netherlands"& This is in accordance with the
$%S service catalogue and includes all IT service management
processes and the management control of the interfaces that
support them
& ,'e location o& t'e certi&icate1 Electronic ata S!"te#" $ES%
In&or#ation ,ec'nolog! Out"ourcing $I,O%+ Spieni""e ,'e
et'erland"
Eaple (coping (tateent /
age 3 ! 12 Copyright 2006, Quint Wellington Redwood
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
13/29
ISO/IEC 20000 Auditor
page 3 -
Eaple (coping (tateent 2
& ,ata Iron and Steel Co#pan! td i" a certi&ied organi"ation under t'eitSM( )S *5000 Certi&ication Sc'e#e+ ,'e certi&icate a" i""ued !
S,C $India% on *5 (eruar! 2005+
& ,'e "cope o& t'e certi&ication i"1
"Provision of Network and Communication Services, IT
infrastructure and Tools, Project support services and
Maintenance of Software applications."
& ,'e location co9ered ! t'e certi&ication i" ,atanager India
Copyright 2006, Quint Wellington Redwood age 3 ! /3
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
14/29
ISO/IEC 20000 Auditor
page 3 - *0
& In&or#ation Manage#ent Center C'ung S'an In"titute o& Science and
,ec'nolog! i" a certi&ied organi"ation under t'e itSM( )S *5000
Certi&ication Sc'e#e+
& ,'e certi&icate a" i""ued on *0 Octoer 2005 ! :+
& ,'e "cope o& t'e certi&ication i"1
'rovision of Information Infrastructure Services for ManagementInformation System (MIS including %ata )ase, *pplication Serversand Networs& rovision of !ffice *utomation (!* Servicesincluding Internet *ccess Service, Intranet $-Mail $+change Serviceand ortal service& rovision of Information Security Servicesincluding ulnera#ility *ssessment, Intrusion %etection,Certification *uthority, irewall Management and irus rotection&.
& ocation1 )uilding 702 ;"in-;"in )arrac OC+
Eaple (coping (tateent 3
age 3 ! 14 Copyright 2006, Quint Wellington Redwood
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
15/29
ISO/IEC 20000 Auditor
page 3 - **
& ?ipro ,ec'nologie" @loal Co##and Centre i" a certi&ied organi"ationunder t'e itSM( )S *5000 Certi&ication Sc'e#e+ ,'e certi&icate a"i""ued on 27 (eruar! 2004 ! : Certi&ication td+
& ,'e "cope o& t'e certi&ication i"1
"IT Infrastructure Service Management for eternal clients,provided ! t#e $lo!al Command Centre %$CC& in 'angalore,covering t#e following services() Monitoring, *dministration,+iagnostics, Performance, *nalsis and eporting"
& ,'e location co9ered ! t'e certi&ication i"1
Electronic City, Wipro +echnologie(, lot
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
16/29
ISO/IEC 20000 Auditor
page 3 - *2
Eaple (coping (tateent
& ;C Co#net td i" a certi&ied organi"ation under t'e itSM( )" *5000
Certi&ication Sc'e#e+ ,'e certi&icate a" i""ued on 3 .anuar! 2005 ! :
td
& ,'e "cope o& t'e certi&ication i"
"rovision of networ monitoring and Management Services at /lo#alManagement Centre, Noida 0 rovision of end to end IT infrastructureServices Management comprising of IT Service %es, %estop Services,%estop *pplication ($+change, Citri+, IIS, Send mail, 1*N23*NManagement, Security, oice 0 ideo Conferencing $4uipmentManagement, Server Installation and Management of various !peratingSystems and %ata Centre !perations at !ffshore Management Centre-
*M%, Noida and %5 Centre, Chennai&"
& ,'e location co9ered ! t'e certi&ication i"
Chennai, #ndia ?
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
17/29
ISO/IEC 20000 Auditor
page 3 - *3
Eaple (coping (tateent 6
& ;elett-oad )angalore India 45/*4 ,u#ur >oad a"'antpur II Stage )angalore India
Copyright 2006, Quint Wellington Redwood age 3 ! /8
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
18/29
ISO/IEC 20000 Auditor
page 3 - *4
$ther Con(ideration(
& Can only be awarded to a (ingle legal entity
&
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
19/29
ISO/IEC 20000 Auditor
page 3 - *5
Scoping Eaple /
OrganiBation *- $End "er OrganiBation- EO%
)u"ine"" unit A )u"ine"" unit ) )u"ine"" unit C )u"ine"" unit
Internal I, Ser9ice
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
20/29
ISO/IEC 20000 Auditor
page 3 - *6
Scoping Eaple 2
OrganiBation 2- $End "er OrganiBation- EO%
)u"ine"" unit A )u"ine"" unit ) )u"ine"" unit C )u"ine"" unit
Internal I, Ser9ice
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
21/29
ISO/IEC 20000 Auditor
The Service Desk supplier cannot get certified for its external Service Desk services as the standard doesnot relate to products and services. However, they can get their internal processes certified as long as allof the requirements of the ISO/IEC 20000 standard are met.
Copyright 2006, Quint Wellington Redwood age 3 ! 2/
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
22/29
ISO/IEC 20000 Auditor
page 3 - *7
Scoping Eaple 3
OrganiBation 3 - $End "er OrganiBation- EO%
)u"ine"" unit A )u"ine"" unit ) )u"ine"" unit C )u"ine"" unit
Internal I, Ser9ice
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
23/29
ISO/IEC 20000 Auditor
page 3 - *8
Scoping Eaple >
OrganiBation 4 - $End "er OrganiBation- EO%
)u"ine"" unit A )u"ine"" unit ) )u"ine"" unit C )u"ine"" unit
Internal I, Ser9ice
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
24/29
ISO/IEC 20000 Auditor
measurement of process metrics, process conformity to ISO/IEC 20000 and definition andmanagement of process improvements.
ote: In this particular example it would also be possible for the Service Desk organization to gaincertification, provided all of its internal Service Mgt processes conform to ISO/IEC 20000 requirements.However, the certificate must be carefully scoped to state that this is the case and the certification impliesnothing about the quality of service provided by the Service Desk itself.
age 3 ! 24 Copyright 2006, Quint Wellington Redwood
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
25/29
ISO/IEC 20000 Auditor
page 3 - *
Scoping Eaple
OrganiBation 5 - $End "er OrganiBation- EO%
)u"ine"" unit A )u"ine"" unit ) )u"ine"" unit C )u"ine"" unit
Internal I, Ser9ice
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
26/29
ISO/IEC 20000 Auditor
page 3 - 20
Scoping Eaple 6
OrganiBation 6 - $End "er OrganiBation- EO%
)u"ine"" unit A )u"ine"" unit ) )u"ine"" unit C )u"ine"" unit
Internal I, Ser9ice
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
27/29
ISO/IEC 20000 Auditor
page 3 - 2*
Scoping Eaple 8
OrganiBation 7 - $End "er OrganiBation- EO%
)u"ine"" unit A )u"ine"" unit ) )u"ine"" unit C )u"ine"" unit
Internal I, Ser9ice
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
28/29
ISO/IEC 20000 Auditor
page 3 - 22
Scoping Eaple B
OrganiBation 8 - $End "er OrganiBation- EO%
)u"ine"" unit A )u"ine"" unit ) )u"ine"" unit C )u"ine"" unit
Internal I, Ser9ice
8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14
29/29
ISO/IEC 20000 Auditor
page 3 - 23
Que(tion(